CVE-2021-32625

Name
CVE-2021-32625
Description
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477, which only addresses the problem on 64-bit systems but fails to do so for 32-bit. 64-bit systems are not affected. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/redis/redis/security/advisories/GHSA-46cp-x4x9-6pfq
MISC https://github.com/redis/redis/releases/tag/6.0.14
MISC https://github.com/redis/redis/releases/tag/6.2.4
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
Third Party Advisory https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:x84:* redis >= 6.0.0 < 6.0.14
cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:x84:* redis >= 6.2.0 < 6.2.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status